The U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) recent imposition of a civil monetary penalty (CMP) against a Health Insurance Portability and Accountability Act of 1996 (HIPAA) covered entity demonstrates the need to ensure that HIPAA compliance programs are in place and audited regularly, and underscores the importance of promptly responding to and remediating alleged non-compliance (especially in response to direct requests from OCR).

On November 7, 2019, OCR announced the imposition of a $1.6 million CMP against the Texas Health and Human Services Commission (HHSC) based on findings that it had, among other violations, impermissibly disclosed the electronic protected health information (ePHI) of over 6,000 individuals through a publicly accessible application. This penalty is significant because OCR and parties under investigation typically reach a settlement agreement following a series of negotiations. Of the eight HIPAA enforcement actions resolved in 2019, OCR imposed CMPs in only one other case.

HHSC, which is part of the Texas Health and Human Services system, is responsible for the administration of numerous state health benefits programs, and provides regulatory oversight of long-term care facilities. The state Department of Aging and Disability Services (DADS), the regulatory body that administers long-term care services for elderly individuals and individuals with intellectual and physical disabilities, came under the purview of HHSC in 2017.

On April 21, 2015, DADS discovered a compromise in a public-facing web application used by one of its programs that provides home and community-based services to people who are deafblind and have multiple disabilities. The application was designed to collect information regarding utilization management and review activities and report the information to the Centers for Medicare and Medicaid Services, and typically contained the names, addresses, Social Security and Medicaid numbers, and treatment and diagnosis information for beneficiaries of the program. DADS learned of the issue after an unauthorized user reported that they were able to access ePHI through the application without first supplying credentials. DADS determined that the ePHI of 6,617 individuals was publicly accessible due to this access issue in the application.

Following this discovery, DADS filed a breach report with OCR. Through its investigation, OCR determined that HHSC failed to comply with numerous HIPAA Privacy and Security Rule requirements from 2013 to 2017, including the failure to implement access controls in relation to ePHI, the failure to implement audit controls on the application, which was on an unsecured public server, and the failure to perform an accurate, thorough, and enterprise-wide HIPAA Security Rule risk analysis.

Following this review, OCR issued HHSC a Letter of Opportunity, which provided the covered entity the chance to submit written evidence of any mitigating factors or affirmative defenses that OCR should take into consideration when making a determination on CMPs. HHSC did not provide any written evidence of mitigating factors or affirmative defenses, or contest OCR’s proposed findings. Significantly, HHSC failed to remediate its access and audit control deficiencies, and did not perform an enterprise-wide risk analysis until two years after the breach. For these violations, OCR imposed a penalty of $1,000 per day per violation, but noted that it could have imposed a penalty of up to $50,000 per day. OCR emphasized that the penalty was imposed after its efforts to reach an informal resolution failed, noting in the Letter of Opportunity that “the matter had not been resolved by informal means despite OCR’s attempts to do so.” (Emphasis added.)

As stated in OCR’s press release, “No one should have to worry about their private health information being discoverable through a Google search.” This enforcement action demonstrates that it is crucial for covered entities not only to ensure that HIPAA compliance efforts are ongoing and remain current, but also to take steps to promptly remediate and respond to alleged non-compliance when under investigation by OCR.